Security Experts Blast Microsoft
With Microsoft calmly asserting that it plans to release a patch for a widespread vulnerability on January 10, security experts are advising concerned administrators to download a third-party patch.
On Tuesday, Microsoft issued a statement acknowledging a vulnerability in the Windows Meta File (WMF) code in Windows operating systems including XP, Server 2003, ME, 98, and 2000, as well as versions of Lotus Notes. The flaw has led to a spate of exploits centered around Microsoft's Internet Explorer and Messenger software.
In its statement, Microsoft said it's delaying release of the patch, which was accidentally made available today, "to assure customers that they can be deployed effectively in all languages and for all versions of the platform with minimum down time."
The company's rationale for delaying release until its traditional "Patch Tuesday," the second Tuesday of every month, didn't sit well with security experts and developers, who have both condemned it for the delay and encouraged administrators to install either the accidentally leaked patch from Microsoft or an alternate version provided by Ilfak Guilfanov.
In an angry post on the SANS Internet Storm Center diary, an author wrote "In [Microsoft's] rosy vision of the future, over the next seven days, nothing bad is going to happen. The fact that there are point-n-click toolz to build malicious WMFs chock full o' whatever badness the kiddiez can cook up doesn't exist in that future. The merry, lil' Redmond Oompa Loompas are chanting "Our patch isn't ready / you have to wait / so keep antivirus / up-to-date" which makes perfectly accurate, current AV signatures appear on every Windows computer - even those with no antivirus software."
The SANS site has been advocating users download Guilfanov's patch, and even went so far as to provide an installer package for it. The site also provided an outline of actions network administrators should take to deal with WMF-related security emergencies, warning that communications may be affected, and that even if internal networks remain protected from problems, other infected networks may pose problems to Internet-facing systems.